Overview

overview

10

Static

static

3

25fc6bc420...87.exe

windows10-2004-x64

10

Resubmissions

02-07-2024 20:30

240702-y99q7axgja 10

02-07-2024 20:21

240702-y449hsxdja 10

15-06-2024 12:25

240615-plyjksthpp 10

Analysis

  • max time kernel
    328s
  • max time network
    339s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 20:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe

  • Size

    9.9MB

  • MD5

    36738debf327efec480324af18b94766

  • SHA1

    5485d691b89a483f823a5be4b3c2b9a3a755f3fd

  • SHA256

    25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587

  • SHA512

    d58b10fcd8cf88cda44e9fd1bd7a7d5c029ccf920464290152c9f005382b3720b6a84ef1750a4595c4611905cc22f358daa0fb5a2e7de4ee51be1907c6c3c64e

  • SSDEEP

    196608:JkSJiPMvxwqNSb4OFVT20XYwO63UwxtQLODByENIUMTnh:OQmkwqNSb4OFV2ZwOnwxtsqNTqnh

Score
10/10
amadey237e24trojan

Malware Config

Extracted

Family

amadey

Version

4.30

Botnet

237e24

C2

http://77.91.77.140

Attributes
  • install_dir

    128c262c3e

  • install_file

    Hkbsse.exe

  • strings_key

    290b81e8c919db72c216d14cb1d817dd

  • url_paths

    /g9bkfkWf/index.php

rc4.plain

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 35 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe
    "C:\Users\Admin\AppData\Local\Temp\25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4928
    • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3860
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3876
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /7
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4476
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4928
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:4724
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:3472
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    1⤵
    • Executes dropped EXE
    • Suspicious behavior: EnumeratesProcesses
    PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\124900551406
    Filesize

    85KB

    MD5

    25a3e9d7dfbf1a753bd241df976fd6aa

    SHA1

    f393e862de13aa5d701fb58a556664117914bce2

    SHA256

    411c504dcf3279cb5b1d72f23d41dcba091682cff0f5cdbc4381f82dcb21ccbf

    SHA512

    e5c00978fc85708e7ab3a7f73e0da4a1fcaa2368be6e823b28fa5f03c7f56649b47c5217477e793ed5009fafa183fb025b66ce155076c0be8e5d64aaaa2bd82a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\124900551406
    Filesize

    82KB

    MD5

    55b52d0362d80023e9e5bd23174da4a0

    SHA1

    cd6e841cf223db9f5aaa91c6ba0f1fedc2af74a4

    SHA256

    f5c44c0c4b354296c6b607b9d66ee90493984e25ae0d07eb18e6ea498c97dd5b

    SHA512

    7b2f088f3119475aa4a76686e34812ce61785bb8b498d0ddff44a1c2ac5b93f855bfeac50908eddcf0731588706bd9de9029964206dd14266040ce25fef3ef69

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\128c262c3e\Hkbsse.exe
    Filesize

    9.9MB

    MD5

    36738debf327efec480324af18b94766

    SHA1

    5485d691b89a483f823a5be4b3c2b9a3a755f3fd

    SHA256

    25fc6bc420b8a78e3d6b8faf4bbf0e50dc5f152842e43663fa89f35e2faf8587

    SHA512

    d58b10fcd8cf88cda44e9fd1bd7a7d5c029ccf920464290152c9f005382b3720b6a84ef1750a4595c4611905cc22f358daa0fb5a2e7de4ee51be1907c6c3c64e

    Download Submit
  • memory/1356-85-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/1356-83-0x0000000001850000-0x0000000001851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1728-74-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3472-80-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3860-20-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3860-19-0x0000000001740000-0x0000000001741000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3860-23-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3860-24-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3860-34-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3876-37-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/3876-36-0x0000000001760000-0x0000000001761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-41-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-47-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-46-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-40-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-48-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-52-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-51-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-50-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-49-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4476-42-0x00000195665E0000-0x00000195665E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4724-59-0x0000000001710000-0x0000000001711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4724-60-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/4928-3-0x0000000000D4B000-0x00000000012C0000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/4928-54-0x00000000031F0000-0x00000000031F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4928-55-0x0000000000220000-0x00000000011E6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/4928-18-0x0000000000D4B000-0x00000000012C0000-memory.dmp
    Filesize

    5.5MB

    Download
  • memory/4928-17-0x0000000000CE0000-0x0000000001CA6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/4928-5-0x0000000000CE0000-0x0000000001CA6000-memory.dmp
    Filesize

    15.8MB

    Download
  • memory/4928-0-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4928-1-0x0000000000CE0000-0x0000000001CA6000-memory.dmp
    Filesize

    15.8MB

    Download